Related to the @kpnwebcare madness; here’s how you move to a more secure hashing algorithm without troubling users:

In an application we wrote back in 2004 I found MD5 hashed passwords. We decided this was too weak for modern standards so we wanted to switch to bcrypt . During the move we wanted the user to be affected as little as possible. In order to compute the crypted password we need the cleartext version. We only have a hashed version so the user has to type her password. Luckily they do this every time they authenticate, so that is a nice opportunity to upgrade their password. First I added a crypted_password column to the accounts table. We now have two columns for storing the password: the old hashed_password and the new crypted_password . add_column :accounts, :crypted_password, :string After that we updated the password accessor methods; assignment and verification. class Account def password=(password) if new_record? or !password.blank? self.crypted_password = BCrypt::Passw...